← Home
Terms of ServicePrivacy PolicyRefund Policy

Privacy Policy

Effective date: May 26, 2026
Last updated: May 26, 2026

Orosy is software — it does not hold, process, or settle funds. Any payments are handled by third-party payment providers (e.g., Stripe, Toss Payments) that you connect to your own account, and money flows directly between you and your customer. Orosy is not a payment processor, payment facilitator, or merchant of record.

Orosy (the "Company") values users' personal data and strives to comply with the Personal Information Protection Act (Korea) and core GDPR principles. This policy applies to the shop-operations automation SaaS platform (the "Service") provided by the Company.

Company Information

  • Company: Funnygrow
  • Representative: Gibeom Kim
  • Business registration no.: 502-54-00590
  • Address: 605-23, 6F, 52, Dolma-ro, Bundang-gu, Seongnam-si, Gyeonggi-do, Republic of Korea 13630
  • Contact: support@orosy.io

Article 1 (Personal Data We Collect)

1.1 User (shop operator) data

  • Required at sign-up: email, password (stored encrypted), name, mobile phone number
  • Shop information: shop name, industry, address, business hours, staff information (name, role)
  • At payment: payment method details (card numbers are handled directly by the payment provider and are not stored by the Company), business registration number
  • Collected automatically during use: IP address, cookies, access logs, device information (browser, OS)

1.2 End-user (shop customer) data

  • When social channels are connected: per-channel identifiers (e.g., Instagram ID), conversation content
  • When entered by the shop operator: name, contact, visit history, shop notes
  • At booking: booking date/time, service items, payment information (once payment features are enabled)

1.3 Collection methods

  • Entered directly by the user during sign-up, use of the Service, or customer support
  • Received automatically through connected social channels (e.g., Instagram)
  • Generated automatically during use of the Service (logs, cookies)

Article 2 (Purposes of Use)

  1. Service provision: member identification, shop-operations automation, booking/CRM/payment features
  2. AI auto-replies: generating AI responses to end-user messages (processed by Vertex AI)
  3. Customer management: processing data so the user (shop operator) can serve their own customers
  4. Billing: usage measurement, payment processing, refund processing
  5. Service improvement: usage-pattern analysis (excluding personally identifying data), new-feature development, error tracking
  6. Customer support: responding to inquiries, delivering notices
  7. Legal compliance: fraud prevention, dispute resolution, compliance with applicable laws

Article 3 (Retention and Use Periods)

ItemRetention periodBasis
Member informationUntil withdrawalDeleted immediately upon user request
Shop / customer data30 days after withdrawalTo allow recovery from accidental withdrawal
Payment records5 yearsE-Commerce Act, Article 6
Access logs3 monthsProtection of Communications Secrets Act
Consumer complaint / dispute records3 yearsE-Commerce Act, Article 6

Article 4 (Provision to Third Parties)

The Company does not provide personal data to third parties without the user's consent, except in the following cases:

  • When the user has consented in advance
  • When required by law or a lawful request from an investigative authority
  • When processed so that individuals cannot be identified, for statistics or academic research

Article 5 (Outsourcing of Processing)

The Company may entrust personal-data processing to the following providers to operate the Service:

ProcessorEntrusted workCross-border transfer
Google Cloud / FirebaseService infrastructure, data storageUSA (Korea storage possible when using the asia-northeast3 region)
Google Vertex AIAI response generationUSA
ZernioSocial channel integration (Instagram/WhatsApp, etc.)Overseas
HapioBooking engineEurope (Sweden)
SentryError monitoringUSA
SendGrid (or equivalent)Email deliveryUSA
PaddlePayment processing (global)UK / EU
Toss PaymentsPayment processing (Korea)Republic of Korea (domestic)

Outsourcing contracts stipulate the measures necessary for processors to handle data safely in accordance with the Personal Information Protection Act.

Article 6 (Cross-Border Transfer)

The Company transfers some personal data abroad to use global cloud infrastructure. The destination country, time and method of transfer, recipient, purpose of use, and retention period follow the processor table in Article 5.

Users have the right to refuse the cross-border transfer of their personal data; in that case, some features of the Service may be limited.

Article 7 (Rights of Users and Legal Representatives)

Users may exercise the following rights at any time:

  • Right to access personal data
  • Right to correct errors
  • Right to deletion
  • Right to suspend processing
  • Right to data portability (data export)

These rights can be exercised directly in the in-app account settings page (/settings/account) or by request via the contact below.

Article 8 (Cookies and Tracking Technologies)

The Company uses cookies and similar technologies to improve the Service and the user experience.

  • Essential cookies: authentication, session maintenance (login is not possible if refused)
  • Analytics cookies: usage-pattern analysis (Google Analytics, PostHog, etc.)
  • Monitoring cookies: error tracking (Sentry Session Replay)

You can block cookies in your browser settings, but some features of the Service may be limited.

Article 9 (Security Measures)

  • Encryption: passwords use one-way hashing (Firebase Auth); communications use HTTPS
  • Access control: dual verification via Firestore security rules and backend middleware
  • Privilege management: operator data access follows the principle of least privilege
  • Log retention: all data-access records are kept (audit trail)
  • Incident response: immediate isolation and user notification upon discovering a breach

Article 10 (Data Protection Officer)

The Company designates a person responsible for personal-data inquiries and handling:

  • Officer: Gibeom Kim
  • Email: support@orosy.io

In addition, personal-data infringement can be reported to the following Korean authorities:

  • Personal Information Protection Commission (privacy.go.kr)
  • Privacy Infringement Report Center (privacy.kr / 182, no area code)
  • Supreme Prosecutors' Office Cybercrime Division (spo.go.kr / 02-3480-3573)

Article 11 (Policy Changes)

This policy may be revised in response to changes in law, policy, or security technology. Revisions are announced at least 7 days before the effective date (30 days for changes unfavorable to users).

For questions about this document, contact support@orosy.io.

© 2026 Orosy. All rights reserved.